Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and René Peralta

Outline
- Motivation
- Blind coupon mechanism
- Abstract group structure
- Instantiating the abstract group structure
- How to spread alerts
- Conclusions and open problems

Our model
Message-passing network of n nodes. Two types of nodes: regular or sentinel. Sentinel nodes run intrusion detection software which looks for the attacker's presence.

The attacker…
- Observes all network traffic.
- Controls the timing and content of delivered messages.

Our goal
Can sentinel nodes quickly alert all network nodes to the attacker's presence? We want to prevent the attacker from
- fabricating false alerts
- identifying the presence or source of an alert

Blind coupon mechanism
A blind coupon mechanism (BCM) is a tuple of PPT algorithms (G, V, C, D).
Key generation G(1^k):
- Outputs public and secret keys (PK, SK) and two strings (d, s).
- The secret key defines the set of dummy coupons D_SK and the set of signal coupons S_SK. We call D_SK ∪ S_SK the valid coupons. Also, d ∈ D_SK and s ∈ S_SK.

Blind coupon mechanism (cont.)
- Verification algorithm V_PK(y) returns 1 if y is valid, 0 otherwise.
- Decoding algorithm D_SK(y) outputs 0 if y is a dummy coupon and 1 if it is a signal coupon.
- Combining algorithm z ← C_PK(x, y) outputs a signal coupon iff one of the inputs is a signal coupon.

Blind coupon mechanism (cont.)
Def: A BCM (G, V, C, D) is secure if
- signal and dummy coupons look similar (they are indistinguishable);
- one cannot generate a signal coupon from scratch;
- the combining algorithm is blinding (the output of C_PK(x, y) reveals nothing about which inputs were signal coupons).

Abstract group structure (U, G, D)
A special group structure yields an efficient BCM: a finite set U, a cyclic group G ⊆ U generated by s, and a subgroup D ≤ G generated by d, where |G|/|D| is prime. Also, |G|/|U| and |D|/|G| are small.
(Figure: elements outside G are invalid, elements of D are dummy coupons, elements of G \ D are signal coupons.)

Hardness assumptions
Subgroup Membership Problem: given a tuple (U, G, D, d, s) and y ∈ G, it is hard to decide whether y ∈ D or y ∈ G \ D. Many examples: DDH, QRA, Paillier, etc.

Hardness assumptions (cont.)
Subgroup Escape Problem: given a tuple (U, G, D, d), it is hard to find an element y ∈ G \ D. This problem has not appeared in the literature before.

The BCM construction on (U, G, D)
The BCM (G, C, V, D) is as follows:
- Key generation: Let PK = (U, G, d) and SK = |D|.
- Combining algorithm: C_PK(x, y) outputs d^{r_0} ∘ x^{r_1} ∘ y^{r_2}, where r_0, r_1, r_2 are chosen uniformly at random from {0, …, 2^{2k} − 1}.
- Verification algorithm: V_PK(y) checks that y ∈ G.
- Decoding algorithm: D_SK(y) outputs 0 (dummy) if y^{SK} = 1 and outputs 1 (signal) otherwise.

Security theorem
Theorem: If the subgroup membership and subgroup escape problems for (U, G, D) are hard, then our BCM is secure.
Proof idea:
- C_PK(x, y) = d^{r_0} ∘ x^{r_1} ∘ y^{r_2} ⇒ it is blinding:
  - x, y ∈ D ⇒ C_PK(x, y) is uniform in D
  - x ∈ G \ D ⇒ x^{r_1} D is uniform in G \ D ⇒ C_PK(x, y) is uniform in G
- subgroup membership hard ⇒ signal and dummy coupons look similar
- subgroup escape hard ⇒ a signal coupon cannot be generated from scratch

Security theorem (cont.)
Challenge: Find a concrete (U, G, D) for which the subgroup membership and subgroup escape problems are hard.
Answer: Elliptic curves over Z_n, where n = pq. Bilinear groups with specific order.

Elliptic Curves over Z_n
The set of (x : y : z) such that y^2 z ≡ x^3 + a x z^2 + b z^3 (mod n), where gcd(4a^2 − 27b^3, n) = 1.
Fact: the points of the elliptic curve form an additive group E(Z_n) for n = pq.
Key property of E(Z_n): it is hard to find new group elements except by applying the group operation to previously known group elements. Previously considered a nuisance [Lenstra '87, Demytko '98] rather than a useful cryptographic property [Gjøsteen '04].
(Figure: point addition P_1 + P_2 on the curve.)

Elliptic Curves over Z_n (cont.)
Challenge: Find (x : y : z) such that y^2 z ≡ x^3 + a x z^2 + b z^3 (mod n).
Answer: It seems hard!
- Choose x and solve for y: requires computing a square root mod n.
- Choose y and solve for x: requires solving a cubic equation mod n.
- Find x and y simultaneously: not obvious.
- LLL-based methods don't seem to pose a threat.
- Finding rational non-torsion points on curves over Q seems hard.

Elliptic Curves over Z_n (cont.)
Let p, q, l_1, l_2, l_3 be primes. Using complex multiplication techniques [Lay-Zimmer '94], we can find curves E_p/F_p and E_q/F_q with #E_p(F_p) = l_1 l_2 and #E_q(F_q) = l_3. Let n = pq. Then E(Z_n) ≅ E_p(F_p) × E_q(F_q) with #E(Z_n) = l_1 l_2 l_3.
Let U be the projective plane, G be E(Z_n), and D ≤ G be its subgroup of order l_1 l_3. Let PK = (G, D, n) and SK = (p, q, l_1, l_2, l_3).
(Figure: points outside G are invalid, points of G \ D are signal coupons, points of D are dummy coupons.)

Elliptic Curves over Z_n (cont.)
Verification algorithm: Given a coupon (x : y : z), it is easy to check whether y^2 z ≡ x^3 + a x z^2 + b z^3 (mod n).
Subgroup Membership Problem: It is hard to distinguish elements of D (order l_1 l_3) from elements of G \ D.
- For E_p(F_p), distinguishing elements of prime order from elements of composite order is hard unless one can factor #E_p(F_p) [Gjo05].
- Computing #E(Z_n) is as hard as factoring n [Kunihiro-Koyama '98].
- Thus, #E_p(F_p) is hidden.
Subgroup Escape Problem: Hard as long as the adversary cannot find random group elements in G = E(Z_n).

Spreading alerts with the BCM
During initial network setup, the administrator generates keys for the BCM (G, C, V, D). He gives dummy coupons to all nodes. Sentinel nodes also receive signal coupons.

Spreading alerts with the BCM
Nodes continually broadcast coupons to their neighbors.
- Initially, everyone transmits dummy coupons.
- Sentinel nodes switch to sending signal coupons upon detecting an attacker.
The attacker may tamper with messages.

Spreading alerts with the BCM
Upon receiving a coupon, a node verifies that the coupon is valid. If the coupon is valid, the node combines it with its own coupon; otherwise, the coupon is discarded.
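As an added example (not code from the talk or the paper), the BCM construction on (U, G, D) and the receive-verify-combine rule of the alert-spreading slides, run over a toy group constructed for this example: U = Z_P^* with P = 2003, G its subgroup of order 11·13, D the subgroup of order 11. In Z_P^* the subgroup escape problem is easy, so this only exercises the algorithms and their combine/decode semantics, not the hardness assumption.

```python
# Added example, not code from the slides: the BCM (G, V, C, D) from the "BCM construction
# on (U, G, D)" slide plus the node rule of the "Spreading alerts" slides, over a toy group
# constructed here: U = Z_P^* with P = 2003 (P - 1 = 2 * 7 * 11 * 13), G = its cyclic
# subgroup of order L1 * L2 = 143 (generated by s), D = the subgroup of order L1 = 11
# (generated by d), so |G|/|D| = L2 = 13 is prime. Caveat: in Z_P^* anyone reaches G by
# raising a random element to (P - 1)/|G|, so subgroup escape is easy; the toy only
# exercises the algorithms.
import random

P, L1, L2, K = 2003, 11, 13, 16                        # K stands in for the security parameter k

def keygen():
    """G(1^k): PK = (U, G, d), encoded as (P, |G|, d); SK = |D|. Also returns d and s."""
    h = 2
    while True:
        s = pow(h, (P - 1) // (L1 * L2), P)            # lands in G; keep it if it generates G
        if pow(s, L1, P) != 1 and pow(s, L2, P) != 1:
            break
        h += 1
    d = pow(s, L2, P)                                   # generator of D, order L1
    return (P, L1 * L2, d), L1, d, s

def verify(pk, y):
    """V_PK(y) = 1 iff y is valid, i.e. y is an element of G."""
    p, order_g, _ = pk
    return 1 if 0 < y < p and pow(y, order_g, p) == 1 else 0

def decode(sk, y):
    """D_SK(y): 0 (dummy) if y^|D| = 1, i.e. y in D; 1 (signal) if y in G \\ D."""
    return 0 if pow(y, sk, P) == 1 else 1

def combine(pk, x, y, exps=None):
    """C_PK(x, y) = d^r0 * x^r1 * y^r2, r_i uniform in {0, ..., 2^(2k) - 1}. A signal input
    is lost only if its exponent is a multiple of L2 = |G|/|D| (probability 1/L2: negligible
    for a cryptographic L2, visible with the toy L2 = 13)."""
    p, _, d = pk
    r0, r1, r2 = exps or [random.randrange(2 ** (2 * K)) for _ in range(3)]
    return pow(d, r0, p) * pow(x, r1, p) * pow(y, r2, p) % p

def node_step(pk, own, incoming, exps=None):
    """Receiving rule: discard an invalid coupon, otherwise fold it into the node's own."""
    return combine(pk, own, incoming, exps) if verify(pk, incoming) else own

def flood_rounds(pk, sk, coupons, neighbors, exps=None):
    """Synchronous flooding; returns the number of rounds until every node decodes a signal."""
    rounds = 0
    while any(decode(sk, c) == 0 for c in coupons):
        sent = list(coupons)                            # what each node broadcast this round
        for v, nbrs in enumerate(neighbors):
            for u in nbrs:
                coupons[v] = node_step(pk, coupons[v], sent[u], exps)
        rounds += 1
    return rounds
```

With a sentinel at one end of a 4-node path, the alert reaches every node after 3 rounds, the diameter, which matches the synchronous flooding bound stated later in the talk.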

Security theorem
Theorem: If the BCM is secure, then so is the alert propagation mechanism.
Proof idea: Because the adversary cannot distinguish between dummy and signal coupons, he cannot test for their presence or absence in the network traffic. The same argument rules out coupon forgery.

Efficiency
- Synchronous flooding model: All nodes receive an alert in a number of steps equal to the diameter of the subgraph of non-faulty nodes.
- Simple epidemic model: The communication graph is complete. All nodes receive an alert in O(n log n) steps.

Conclusion
- Useful crypto primitive: the BCM (an ∧-homomorphic bit commitment). It can be used to construct an undetectable anonymous private channel.
- New crypto tool? The subgroup escape assumption.
- Non-interactive proofs of circuit satisfiability of length linear in the number of ∧ gates.
- Applications to i-voting [Chaum et al. '04].

Open problems
- Can a BCM with constant expansion ratio be constructed using standard assumptions?
- Can we transmit multiple bits without a linear blow-up in message size?